英文:
Partially storing entity data in spring vault
问题
我一直在阅读 Vault 的文档,但仍然不确定在解决我的问题时是否理解正确。
想象一下有一个名为 "Example" 的实体。它有多个字段,比如名称,创建日期等,其中一些字段是敏感的,比如密码,密钥。
@Entity
@Table(name = "example")
public class Example {
private String name;
private Date created;
...
@Convert(converter = SomeConverter.class)
private String password;
@Convert(converter = SomeConverter.class)
private String secretKey;
}
这个实体存储在 SQL 数据库中(例如 PostgreSQL)。现在我的目标是保护密码(因此使用了转换器类),但其他数据则不需要保护。
是否可以将实体数据存储在数据库中,同时将敏感数据存储在 Vault 中(无论其背后的存储是什么)?因此,当我加载实体时,实体数据将从数据库加载,敏感数据将从 Vault 加载。
或者,正确(也是唯一可行的)的方法是仅使用 Vault 的加密/解密转换器,将其存储在同一个数据库中?并通过与 Vault 的身份验证来限制访问。
我只是困惑于在这种情况下,Vault 是否只应用于静态密钥。
英文:
I've been going through Vault documentation and I'm still not sure if I understand it correctly on which approach to take for my problem.
Imagine having an entity called Example. It has multiple fields, such as name, created, etc. and amongst these fields which are sensitive, such as password, secret_key.
@Entity
@Table(name = "example")
public class Example {
private String name;
private Date created;
...
@Convert(converter = SomeConverter.class)
private String password;
@Convert(converter = SomeConverter.class)
private String secretKey;
}
This entity is stored in an SQL database (e.g. PostgreSQL). Now my goal is to have the password secure (hence the converter class), but the rest of the data not.
Is it possible to store entity data in DB, while keeping the sensitive data stored in Vault (in whatever storage behind it)? So when I'd be loading the entity both entity data would be loaded from DB and sensitive data from Vault.
Or would the correct (and only viable) approach be to just use the encryption/decryption converter from Vault and store it in the same database? And limit this with authentication with Vault.
I'm just confused if Vault in general should only be used for static secrets in this case.
答案1
得分: 1
我会说,这取决于您/业务。
您可以将整个实体(对象)存储到保险库中,也可以只存储一个字符串。
看看这是否有帮助:
https://www.baeldung.com/spring-vault
英文:
I'd say, it's upto you/business.
You may store the entire entity(object) into vault or only a string.
See if this helps:
https://www.baeldung.com/spring-vault
答案2
得分: 0
不要将所有内容都作为机密存储到保险库中,可以存储密码,但我不认为这对于普通用户是明智的(在您的情况下,实体似乎是应用程序用户)。
使用他们的 transit 机密引擎对数据进行加密,然后存储在任何数据库中,您可以使用保险库身份验证来支持数据库访问。
如果您想在机密引擎中存储密码,可以这样做,但您需要一个服务类,在执行任何操作之前从保险库中获取密码。
英文:
Don't store everything to vault as secret, you can store password but I don't thing that's advisable for a general user(in your case entity seems to be application user).
Use their transit secret engine and encrypt the data and store in any DB, you can back DB access with vault authentication.
In case you want to store password in secret engine, you can do that but you will need a service class which will fetch the password from vault before performing any operation.
通过集体智慧和协作来改善编程学习和解决问题的方式。致力于成为全球开发者共同参与的知识库,让每个人都能够通过互相帮助和分享经验来进步。
评论